- Apr 24, 2016
A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations.
The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.
"It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks," explains the Check Point report.
"Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers."
The deployed malware allows the threat actors full access to the device, including running shell commands, uploading and downloading files, and using it as a SOCKS proxy to relay communication between devices.
Check Point Research discovered the Horse Shell TP-Link firmware implant in January 2023 and says the hackers' activity overlaps with the Chinese "Mustang Panda" hacking group recently detailed in Avast and ESET reports.
Check Point tracks this activity separately using the "Camaro Dragon" name for the activity cluster despite the similarities and considerable overlap with Mustang Panda.
The attribution was made based on attackers' server IP addresses, requests featuring hard-coded HTTP headers found on various Chinese websites, many typos in the binary code that show the author isn't a native English speaker, and functional similarities of the trojan with the APT31 "Pakdoor" router implant.
While Check Point has not determined how the attackers infect TP-Link routers with the malicious firmware image, they said it could be by exploiting a vulnerability or brute-forcing the administrator's credentials.
Once a threat actor gains admin access to the management interface, they can remotely update the device with the custom firmware image.
Through investigation, Check Point found two samples of trojanized firmware images for TP-Link routers, both containing extensive modifications and file additions.
Check Point compared the malicious TP-Link firmware with a legitimate version and found that the kernel and uBoot sections were the same. However, the malicious firmware utilized a custom SquashFS filesystem that contained additional malicious file components that are part of the Horse Shell backdoor malware implant.
"Parts of it are internally named Horse Shell so we use it to name the implant as a whole. The implant provides the attacker with 3 main functionalities: remote shell, file transfer, and tunneling," explains Check Point.
The firmware also modifies the management web panel, preventing the device's owner from flashing a new firmware image for the router and ensuring the persistence of the infection.
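The section-by-section comparison described above (identical kernel and uBoot, altered SquashFS) can be reproduced by a defender holding a vendor image and a dumped image. The following is an added example, not Check Point's tooling or code from the article: it assumes a SquashFS 4.x little-endian superblock and treats everything before the filesystem as bootloader plus kernel, and the two sample images are constructed inline.

```python
import hashlib
import struct

SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS superblock magic

def find_squashfs(image: bytes):
    """Return (offset, length) of the first plausible SquashFS 4.x filesystem, or None."""
    pos = image.find(SQUASHFS_MAGIC)
    while pos != -1:
        sb = image[pos:pos + 48]
        if len(sb) == 48:
            major = struct.unpack_from("<H", sb, 28)[0]       # s_major
            bytes_used = struct.unpack_from("<Q", sb, 40)[0]  # filesystem size
            # Reject stray magic bytes: version and size must be sane.
            if major == 4 and 48 <= bytes_used <= len(image) - pos:
                return pos, bytes_used
        pos = image.find(SQUASHFS_MAGIC, pos + 1)
    return None

def region_hashes(image: bytes):
    """Hash the bytes before the filesystem and the filesystem itself."""
    found = find_squashfs(image)
    if found is None:
        raise ValueError("no SquashFS superblock found")
    off, length = found
    return {
        "pre_fs": hashlib.sha256(image[:off]).hexdigest(),
        "squashfs": hashlib.sha256(image[off:off + length]).hexdigest(),
    }

def compare_images(reference: bytes, suspect: bytes):
    """Return the names of regions whose hashes differ from the reference."""
    ref, sus = region_hashes(reference), region_hashes(suspect)
    return [name for name in ref if ref[name] != sus[name]]

def _make_image(rootfs_payload: bytes) -> bytes:
    """Constructed sample: fake boot/kernel bytes, then a minimal superblock."""
    sb = bytearray(48)
    sb[0:4] = SQUASHFS_MAGIC
    struct.pack_into("<H", sb, 28, 4)                         # version major
    struct.pack_into("<Q", sb, 40, 48 + len(rootfs_payload))  # bytes_used
    return b"BOOT" * 64 + b"KERNEL" * 64 + bytes(sb) + rootfs_payload

VENDOR = _make_image(b"stock rootfs contents")                    # constructed
SUSPECT = _make_image(b"stock rootfs contents plus extra files")  # constructed

if __name__ == "__main__":
    print(compare_images(VENDOR, SUSPECT))
```

A result listing only `squashfs` matches the pattern reported for the trojanized images; the next step is to unpack both filesystems and diff the file trees.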